Access Control
Access control in Apiable authorizes your API consumers with OAuth2 scopes. Each subscriber receives a token carrying exactly the access their plan grants, instead of an all-or-nothing API key.
How does access control work in Apiable?
You define scopes for your APIs, assign them to a plan, and approve the access consumers request. Your authorization server then issues each subscriber a token carrying only the scopes they hold.
- Define scopes for your APIs under Catalog → Resource Groups.
- Assign scopes to a plan on its Access Control tab, each as Active, Optional, or Restricted.
- Handle grant requests as consumers ask for Optional and Restricted scopes from the API Portal.
What do the Active, Optional, and Restricted states mean?
Each scope on a plan gets one state, which decides how a subscriber receives it.
| State | Behavior |
|---|---|
| Active | Every subscriber receives this automatically. |
| Optional | Subscribers can request this. |
| Restricted | Requires approval with business justification. |
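The state rules above, worked through as an added example (not Apiable's own code). It models the three states as assumptions: Active scopes are granted automatically, Optional scopes need an approved grant request, and Restricted scopes need an approved request that also carries a business justification. The `scope` claim layout (space-delimited, per OAuth2) and the endpoint check are likewise assumptions about how the issued token is consumed.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ACTIVE = "Active"
    OPTIONAL = "Optional"
    RESTRICTED = "Restricted"


@dataclass
class GrantRequest:
    scope: str
    approved: bool = False
    justification: str = ""


def effective_scopes(plan_scopes: dict[str, State], requests: list[GrantRequest]) -> set[str]:
    """Scopes a subscriber holds under the plan (rules modelled as assumptions)."""
    # Active: every subscriber receives these without asking.
    granted = {scope for scope, state in plan_scopes.items() if state is State.ACTIVE}
    for req in requests:
        state = plan_scopes.get(req.scope)
        if state is None or not req.approved:
            continue  # not on this plan, or the request is still pending / denied
        if state is State.OPTIONAL:
            granted.add(req.scope)
        elif state is State.RESTRICTED and req.justification.strip():
            granted.add(req.scope)  # approval alone is not enough without a justification
    return granted


def token_scope_claim(scopes: set[str]) -> str:
    """Space-delimited `scope` claim the authorization server would put in the token."""
    return " ".join(sorted(scopes))


def is_authorized(scope_claim: str, required: str) -> bool:
    """Resource-server check: the endpoint's required scope must be in the token."""
    return required in set(scope_claim.split())


# Constructed sample plan and grant requests (hypothetical scope names).
SAMPLE_PLAN = {"orders:read": State.ACTIVE, "orders:write": State.OPTIONAL, "billing:export": State.RESTRICTED}
SAMPLE_REQUESTS = [
    GrantRequest("orders:write", approved=True),
    GrantRequest("billing:export", approved=True, justification=""),  # missing justification
]
```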
What do you need before you start?
- Scope-based access control enabled on your account, shown by the Scopes banner.
- A connected authorization server (Keycloak or Auth0) under Integrations → Authorization Servers.
- Scopes defined for your APIs under Catalog → Resource Groups.
Where to start
Scopes
What a scope is and how a scoped request gets authorized end to end.
Assign scopes to a plan
Set each scope to Active, Optional, or Restricted on the plan's Access Control tab.
Scope grants
How consumers request Optional and Restricted scopes, and how you approve them.
Authorization Servers
Connect Keycloak or Auth0 to issue the scoped tokens.